[Cdrecord-support] Cdrtools-2.01.01a72 ready
jfeise at feise.com
Thu Jan 14 16:55:24 CET 2010
Joerg Schilling wrote on 01/14/10 01:16:
> "Joe Feise" <jfeise at feise.com> wrote:
>> On Mon, January 11, 2010 03:47, Joerg Schilling wrote:
>>> NEW features of cdrtools-2.01.01a72:
>> With BerliOS having been compromised (see
>> and no MD5 hashes for recent versions of cdrtools in
>> ftp://ftp.berlios.de/pub/cdrecord/alpha/!MD5_SUMS, it may be prudent to be
>> rather careful with new versions of cdrtools.
> Please note: heise.de is a website that is primarily interested in a high
> click rate on ads and as a result the reports are not always correct but
> rather intended to create interest....
I know several people at heise.de personally, and I do know that your assertion
Further, you yourself post there...
> We checked our servers and there was no manipulation on download files or
> other important files.
With all due respect, I prefer to verify myself if what I download matches MD5
and/or GPG signatures. Trust but verify...
> Even GPG signatures do not help. I know of at least one tar archive on
> ftp.gnu.org that has an apparently matching GPG signature but the content
> of the tar archive differs from the original.
While that may be the case, that has nothing to do with BerliOS or cdrtools.
It is nothing more but a Red Herring.
> I know that I can still trust BerliOS.
Good for you. You have not given *me* any assurance that *I* can trust the
More openness would be appreciated.
An example how such things *should* be handled is how the Apache Infrastructure
Team handled a compromise of their servers last year:
More information about the Cdrecord-support